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(57) In a mutual authentication method for use be- 
tween a recording apparatus which records copied con- 
tents on a recording medium having an arithmetic 
processing function, and the recording medium, the 
method includes a step of storing in the recording me- 
dium at least first information (MID) which depends on 
the recording medium, and second information (SMID) 
which is to be shared by the recording apparatus in ex- 
ecuting mutual authentication with the recording appa- 
ratus and depends on the recording medium, and a step 
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of generating by the recording apparatus authentication 
informatiori (K|^[MID]) used in mutual authentication 
with the recording medium on the basis of the first infor- 
mation (MID) obtained from the recording medium, and 
executing mutual authentication between the recording 
apparatus and the recording medium using the gener- 
ated authentication information (K^IMID]) and the sec- 
ond information (SMID). 
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Description 

[0001] The present invention relates to a mutual au- 
thentication method for use among a recording appara- 
tus, reproducing apparatus, and recording medium, us- 
ing a contents management technique that protects 
copyrights by limiting the number of copied contents, 
and a recording apparatus, reproducing apparatus, and 
recording medium using the method. 
[0002] Conventionally, contents (literary works and 
the like) have undergone copy management. More spe- 
cifically, by managing copy generations or the number 
of copies, copyright protection and use are balanced. 
[0003] On the other hand, the concept "move" has ap- 
peared as an alternative to copy management. "Copy" 
does not erase original data, but "move" transfers data 
to another location (recording medium) and erases orig- 
inal data. As a result, a protection technique against 
"move" has appeared. Such technique has emerged 
due to digitalization of contents and prevalence of net- 
works and the like. 

[0004] IHowever, in recent years, since copies faithful 
to an original can be formed via the network or the like, 
it becomes difficult for the conventional technique to re- 
liably protect copyrights. Particularly, tt is hard to reliably 
protect copyrights against unlimited moves from medi- 
um to medium, e.g., profit-making distribution (by 
means of move) of data. 

[0005] it is an object of the present invention to pro- 
vide a mutual authentication method which can assure 
high information security between a recording medium 
and a recording apparatus that records copied contents 
on the recording medium, and between a recording me- 
dium and a reproducing apparatus which reproduces 
copied contents recorded on the recording medium, and 
a contents recording apparatus, reproducing apparatus, 
and recording medium using the method. 
[0006] According to one aspect of the present inven- 
tion, there Is provided a mutual authentication method 
for use between a recording apparatus which records 
copied contents on a recording medium having an arith- 
metic processing function, and the recording medium, 
the method comprising the steps of: storing in the re- 
cording medium at least first information which depends 
on the recording medium, and second information which 
is to be shared by the recording apparatus in executing 
mutual authentication with the recording apparatus and 
depends on,the recording medium; and generating by 
the recording apparatus authentication information 
used In mutual authentication with the recording medi- 
um on the basis of the first information obtained from 
the recording medium, and executing mutual authenti- 
cation between the recording apparatus and the record- 
ing medium using the generated authentication informa- 
tion and the second information. 
[0007] According to another aspect of the present in- 
vention, there is provided a mutual authentication meth- 
od for use between a reproducing apparatus which re- 



produces copied contents recorded on a recording me- 
dium having an arithmetic processing function, and the 
recording medium, the method comprising the steps of: 
storing in the recording medium at least tirst information 
which depends on the recording medium, and second 
information which is to be shared by the reprodudng ap- 
paratus in executing mutual authentication with the re- 
producing apparatus and depends on the recording me- 
dium; and generating by the reproducing apparatus au- 
thentication information used in mutual authentication 
with the recording medium on the basis of the first infor- 
mation obtained from the recording medium, and exe- 
cuting mutual authentication between the reproducing 
apparatus and the recording medium using the gener- 
ated authentication information and the second informa- 
tion. 

[0008] According to still another aspect of the present 
invention, there is provided a recording apparatus for 
recording copied contents on a recording medium while 
limiting the number of copied contents to be recorded 
on the recording medium, the apparatus comprising: 
generation means for generating authentication infor- 
mation, which is used In mutual authentication with the 
recording medium and is to be shared by the recording 
medium, on the basis of first information which is ob- 
tained from the recording medium and depends on the 
recording medium; and mutual authentication means for 
executing mutual authentication with the recording me- 
dium using the authentication information generated by 
the generation means. 

[0009] According to still another aspect of the present 
invention, there is provided a reproducing apparatus for 
reproducing copied contents recorded on a recording 
medium while limiting the number of copied contents to 
be recorded on the recording medium, the apparatus 
comprising: generation means for generating authenti- 
cation information, which Is used in mutual authentica- 
tion with the recording medium and is to be shared by 
the recording medium, on the basis of first information 
which Is obtained from the recording medium and de- 
pends on the recording medium; and mutual authenti- 
cation means for executing mutual authentication with 
the recording medium using the authentication informa- 
tion generated by the generation means. 
[001 0] According to still another aspect of the present 
invention, there is provided a recording medium having 
an arithmetic processing function, comprising: storage 
means for pre-storing tirst information which is unique 
to the recording medium, and second information which 
Is to be shared by a recording apparatus for recording 
copied contents on the recording medium and a repro- 
ducing apparatus for reproducing the copied contents 
in executing mutual authentication among the recording 
medium, the recording apparatus, and the reproducing 
apparatus, and depends on the recording medium; and 
mutual authentication means for executing mutual au- 
thentication between the recording medium and the re- 
cording apparatus, and between the recording medium 
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and the reproducing apparatus using authentication in- 
formation generated based on the first information by 
the recording apparatus and the reproducing apparatus, 
and the second information. 

[0011] This summary of the invention does not nec- 5 
essarily describe all necessary features so that the in- 
vention may also be a sub-combination of these de- 
scribed features. 

[0012] The invention can be more fully understood 
from the following detailed description when taken in 
conjunction with the accompanying drawings, in which: 

FIG. 1 is a block diagram showing an example of 
the arrangement of a music contents use manage- 
ment system (LCM) using a contents management 
technique for limiting the number of copied contents 
that can be recorded on a recording medium ac- 
cording to an embodiment of the present Invention; 
FIG. 2 shows an example of the map of a memory 
area; 

FIG. 3 is a block diagram showing an example of 
the internal arrangement of a recording/reproduc- 
ing device (PD); 

FIGS. 4A to 4C are views for explaining the features 
of three different recording media; 
FIG. 5 is a block diagram showing an example of 
the internal arrangement of a medium interface (1/ 

F); 

FIG. 6 is a view for explaining the recorded contents 
of a recording medium after check-in; 
FIGS. 7A to 7C show storage examples of guest 
books stored in a secret area of an LCM; 
FIGS. 8A and 8B are views for explaining an outline 
of a mutual authentication method; 
FIG. 9 is a flow chart for explaining a check-in/ 
check-out process sequence; 
FIG. 10 is a chart for explaining a sequence of 
check-out when the type of recording medium is lev- 
el 2; 

FIG. 11 is a chart for explaining a sequence of re- 
production when the type of recording medium is 
level 2; 

FIG. 12 is a chart for explaining a sequence of 
check-in when the type of recording medium is level 

2; 

FIG. 1 3 Is a chart for explaining another sequence 
of check-out when the type of recording medium,is 
level 2; 

FIG. 14 is a chart for explaining another sequence 
of reproduction when the type of recording medium 
is level 2; 

FIG. 15 is a chart for explaining a sequence of 
check-out when the type of recording medium is lev- 
el 0; 

FIG. 1 6 is a chart for explaining a sequence of re- 
production when the type of recording medium Is 
level 0; 

FIG. 17 is a chart for explaining a sequence of 



check-in when the type of recording medium is level 
0; 

FIG. 18 is a chart for explaining another sequence 
of check-out when the type of recording medium is 
level 0; 

FIG. 19 is a chart for explaining another sequence 
of reproduction when the type of recording medium 
is level 0; 

FIG. 20 is a chart for explaining another sequence 
of check-in when the type of recording medium Is 
level 0; 

FIG. 21 is a chart for explaining processing opera- 
tion of a mutual authentication process (AKE); and 
FIG. 22 is a chart for explaining another processing 
operation of a mutual authentication process (AKE). 

[001 3] An embodiment of the present invention will be 
explained hereinafter with reference to the accompany- 
ing drawings. 

[0014] FIG. 1 shows an example of the arrangement 
of a music contents use management system (to be also 
simply referred to as an LCM hereinafter) which limits 
the number of copied contents that can be recorded on 
a recording medium according to this embodiment, and 
records copied contents on a medium, reproduces cop- 
ied contents recorded on a medium, and so forth. Note 
that music is used as an example of contents. However, 
the present invention is not limited to such specific con- 
tents, and movies, game software programs, and the 
like may be used. A memory card (MC) Is used as a 
medium. However, the present Invention Is not limited 
to such medium, and various other recording media 
such as a floppy disk, DVD, and the like may be used. 
[001 5] An EMD (Electronic Music Distributor) is a mu- 
sic distribution server or music distribution broadcast 
station. 

[0016] A contents use management system 1 is, for 
example, a personal computer (PC), which includes re- 
ceivers #1 to #3 corresponding to a plurality of EMDs 
(EMD#1 to EMD#3 in this case), and receives encrypted 
contents, their licenses (the use condition and decryp- 
tion key Kc for the encrypted contents), and the like dis- 
tributed by the EMDs. Receivers #1 to #3 may have a 
reproducing function or a charging function. The user 
uses the reproducing function to listen to samples of the 
distributed music contents. Also, the user can purchase 
the contents he or she likes using the charging function. 
[0017] The LCM 1 includes a secure contents server 
(Secure Music Server: SMS in this case; to be also sim- 
ply referred to as an SMS hereinafter) 2, and the con- 
tents the user has purchased are stored in the SMS 2 
via an EMD interface (l/F) 3. The music contents are 
decrypted by the EMD l/F 3 as needed, and undergo 
format conversion and re-encryption. Upon receiving 
the encrypted contents, the SMS 2 stores the received 
contents in a music data memory 1 0, and a music data 
decryption key In a license memory 9. The SMS 2 may 
have a reproducing function. With this reproducing tune- 
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tion, the music contents managed by the SMS 2 can be 
reproduced on the PC. 

[0018] The SMS 2 has a function of outputting con- 
tents data to a medium (to be also simply referred to as 
an MC (memory card) hereinafter) 1 3. The user can re- 5 
produce the contents recorded on the MC 13 by setting 
it in a recording/reproducing device (to be also simply 
referred to as a PD (Portable Device) hereinafter. 
[001 91 The SMS 2 records contents on the MC 1 3 di- 
rectly via a medium (MC) interface 6 or with the inter- 
vention of the PD 12. 

[0020] A device ID memory 4 includes, e.g., a ROM 
which stores Identification information (device ID) of the 
LCM. 

[0021 ] The MC 1 3 has identification Information (MID) 
which is unique to that medium and cannot be rewritten, 
and the contents stored in the MC 1 3 may be encrypted 
by an encryption key which depends on the MC 1 3. 
[0022] A check-in/check-out process will be explained 
first using the LCM 1 shown in FIG. 1 . 
[0023] The check-out process means making a copy 
of "parent" contents stored in the LCM 1 on the MC 13 
as "child" contents. The "child" contents can be freely 
reproduced by the PD 12, but it is not allowed to form 
"grandchild" contents from the "child". The number of 
"children" "parent" can have Is defined as an attribute of 
"parent". On the other hand, the check-in process 
means erasing (or disabling to use) "child" contents by 
the LCM 1 when the MC 13 Is connected to the LCM 1 , 
thereby recovering the right of "parent" contents in the 
LCM 1 to form one "child". This process is also called 
check-in at "parent". 

[0024] When this check-in/check-out process is sim- 
ply implemented by the conventional LCM 1 , the follow- 
ing "attack" Is present in practice. More specifically, 
"child" stored in the MC 1 3 is saved in another recording 
medium (by removing its MID), and "child" In the MC 13 
checks In at "parent". The previously saved "child" Is 
written back to that MC 13. Since check-In has already 
been done, "parent" on the LCM 1 can copy "child" on 
another MC 13. This method can form an arbitrary 
number of "children" that can be used. 
[0025] The aforementioned "attack" can be defended 
by authentication In data transfer between the MC 13 
and LCM 1. That is, assume that the MC 13 does not 
accept data transfer from an LCM other than an authen- 
tic LCM 1 , and the LCM 1 does not accept data transfer 
from an MC other than an authentic MC 1 3. In this case, 
"child" In the MC 13 cannot be saved In another record- 
ing medium. Also, disguised check-in cannot be done 
at the LCM 1. Therefore, the aforementioned "attack" is 
no longer effective. 

[0026] However, the check-in/check-out process can- 
not be implemented even under the premise of authen- 
tication between the LCM 1 and MC 13, because of the 
presence of the following "attack". That is, before "par- 
ent" on the LCM 1 forms any "child", data of the LCM 1 
(especially, information in the license memory 9) is 



backed up to another recording medium. After "child" is 
copied to the MC 1 3, the backed-up data of the LCM 1 
is restored. Since "parent" of the LCM 1 recovers the 
state before it forms "child", it can form "child" on another 
MC 13. In this manner, an arbitrary number of "children" 
can be formed. 

[0027] In order to implement the check-in/check-out 
process that can defend such attack, an area (secret 
area) which cannot be accessed by a public procedure 
is assured on the storage area of the MC 1 3, and is used 
to record information required for mutual authentication 
and Information required for contents decryption, an 
identification information (device ID) list (revocation list 
(RVC list)) of devices (LCM 1, PD 12) that cannot be 
accessed, and the like (see FIG. 2). Also, an area (se- 
cret area) that can be accessed by only a private pro- 
cedure is assured on the storage area (e.g., a hard disk 
(HDD) when the LCM 1 is constituted by a PC) of the 
LCM 1, and is used to store a guest book (to be de- 
scribed later) (see FIG. 2). Furthermore, an area (secret 
area) that can be accessed by only a private procedure 
may also be assured on the storage area of the PD 12, 
and may be used to record information required for con- 
tents decryption (see FIG. 2). Note that an area other 
than the secret area In the storage area, which can be 
accessed by a normal procedure, will be referred to as 
a public area. 

[0028] As shown in FIG. 1 , the LCM 1 includes a guest 
book memory 8 assured on the secret area, and a secret 
area driver 7 for reading data from the secret area after 
the SMS 2 executes a specific secret procedure for ac- 
cessing this guest book memory 8. 
[0029] As shown In FIG. 4C, the MC 13 includes an 
identification information memory (ROM) 13b which 
stores Identification infomnatlon MID of the MC 13, and 
cannot be extemally rewritten and copied, a secret area 
13c, a public area (rewritable RAM) 13a, and a switch 
(SW) 1 3e which opens a gate to allow access to the se- 
cret area 13c only when an authentication unit 13d au- 
thenticates and confirms an authentic partner every time 
the secret area 13c is accessed. 
[0030] Note that three different types of MCs 13 can 
be used in this embodiment. The type of MC 13 which 
has both identification Information MID and the secret 
area, as shown in FIG. 4C, is called "level 2". The type 
of MC 13 which does not have any secret area but has 
identification information MID, as shown in FIG. 4B, is 
called "level 1". The type of MC 13 which has neither 
the secret area nor identification information, and has 
only a public area, as shown In FIG. 4A, Is called "level 
0". tn order to discriminate these types, for example, lev- 
el 0 can be discriminated from other types by checking 
the presence/absence of identification information MID, 
and levels 1 and 2 can be discriminated based on the 
format of identification information MID. For example, 
when identification information is a serial number, a me- 
dium having identification information equal to or larger 
than a predetermined value is determined to be level 2. 
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[0031] An MC 13 of level 2 will be exemplified below 
unless othenA^ise specified. 

[0032] The MC 13 is set in the PD 12 connected to 
the LCM 1 or is directly set in the LCM 1 when it is used. 
[0033] FIG. 3 shows an example of the arrangement 
of the PD 12, and the MC 13 is set in a medium interface 
(l/F) 12f. When the LCM 1 reads/writes data to/from the 
MC 1 3 via the PD 1 2, it accesses the secret area of the 
MC 1 3 via a secret area access unit in the PD 12. The 
medium l/F 12f includes a secret area access unit for 
accessing the secret area of the MC 1 3. The secret area 
in the PD 1 2 may be assured on a flash memory 1 2d. A 
ROM 1 2c is written with a mutual authentication pro- 
gram between the MC 1 3 and LCM 1 , a program that 
describes an authentication procedure required for ac- 
cessing the secret area, and a program for discriminat- 
ing the type of MC 1 3. According to these programs, var- 
ious processes such as authentication, type discrimina- 
tion, and the like with the MC 1 3 are executed under the 
control of a CPU 12a. 

[0034] The ROM 1 2c may also store identification in- 
formation (device ID) of the PD 12. For example, the 
secret area assured on the flash memory 1 2d pre-stores 
a secret device ID (SPDID). 

[0035] FIG. 5 shows the arrangement of the medium 
l/F 6 of the LCM 1 . The medium l/F 6 includes an au- 
thentication unit 6c for performing mutual authentication 
with the MC 13, a medium discrimination unit 6b for de- 
termining the type of MC 1 3, and a controller 6a for con- 
trolling all these units. The authentication unit 6c also 
serves as a secret area access unit which accesses the 
secret area of the MC 13. 

[0036] The guest book stored in the secret area of the 
LCM 1 will be explained below. 
[0037] All music contents held in the SMS 2 have con- 
tents IDs (TIDs) as identification information for identi- 
fying the Individual contents, and the predetennlned 
number of contents that can be copied, i.e., the remain- 
ing number of children and a check-out list as their at- 
tribute information. This attribute information is called a 
guest book. The guest book is recorded on the guest 
book memory 8 assured on the secret area in the format 
shown in FIG. 7 A. 

[0038] Referring to FIG. 7A, the remaining number of 
children of contents ID = "TIDI" is "2* and its check-out 
list is LI . 

[0039] The check-out list is a list of identification infor- 
mation of the MCs 13 which record copied contents 
(children). For example, as can be seen from check-out 
list LI In FIG. 7A, children of the contents having a con- 
tents I D = 'Tl D r are checked out to two MCs 1 3 respec- 
tively having identification information = "ml" and "m2". 
[0040] The following items will be explained in turn be- 
low. 

1 . Outline of mutual authentication method 

2. Check-in/check-out/reproduction process of cop- 
ied contents using MC of level 2 



3. Check-in/check-out/reproduction process of cop- 
ied contents using MC of level 0 
1 . Outline of mutual authentication method 

5 [0041] In order to safely implement the check-in/ 
check-out process, mutual authentication must be done 
among the LCM 1 , PD 12, and MC 1 3 as described 
above (to confirm, e.g., if they have an identical algo- 
rithm). In general, the mutual authentication process 

10 must have secret information shared by the partners 
which are to authenticate each other. Therefore, for ex- 
ample, the MC 13, LCM 1 , and PD 12 have such secret 
information. In terms of information security, this secret 
information is preferably a dynamic one which is gener- 

15 ated to have a different value every time authentication 
is done. However, if a high-grade function of generating 
such secret information is added to the medium itself, i. 
e., the MC 1 3, the medium becomes expensive. In order 
to promote further prevalence of media to public, the 

20 medium is preferably as inexpensive as possible. 
Therefore, secret information is preferably pre-stored in 
the MC 1 3 to reduce the cost of the medium (MC 1 3). 
[0042] However, when secret information which is 
common to all media or a given number of media (such 

25 information will be referred to as global secret informa- 
tion hereinafter) is pre-stored in respective media, if the 
secret information Is read from a given medium by some 
method, other media that store identical secret informa- 
tion may be illicitly used. It is therefore very dangerous 

30 to store global secret information in media (see FIG. 8A). 
[0043] Even when secret information stored in a given 
medium is read by an unauthorized user, if it is only the 
medium from which the secret information has been 
read that can be illicitly used, no serious problem is 

35 posed. For this reason, the secret Information need only 
be unique to each medium. 

[0044] In this embodiment, secret Information for mu- 
tual authentication, which information differs in units of 
media, Is stored In each media, and the LCM 1 or PD 

40 1 2 and MC 1 3 perform mutual authentication using the 
stored information, thereby providing a safe mutual au- 
thentication method that uses a low-cost medium and 
can assure higher security. More specifically, the mutual 
authentication method described in this embodiment 

45 pre-stores, in (the secret area of) each medium (medium 
of level 2), secret information (in this case, secret medi- 
um ID (SMID): which is obtained by encrypting a medi- 
um ID using key information K|^ acquired by some meth- 
od), which differs in units of media and is required for 

50 mutual authentication (AKE), and transfers Identification 
information (MID) of that medium to the LCM 1 and PD 
1 2, as shown in FIG. 8B. The LCM 1 or PD 1 2 generates 
information (which is the same as SMID of the medium) 
for mutual authentication) using MID and information 

55 (K|^) acquired by some method in accordance with a 
predetermined algorithm and executes a mutual au- 
thentication process (AKE: authentication and key ex- 
change)). 
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[0045] In this manner, by storing unique secret infor- 
mation (SmO) in each MC 13, the LCI^ 1 or PD 12 gen- 
erates secret information (SMID) on the basis of infor- 
mation (MID) unique to each medium, which is trans- 
ferred from the medium, thereby implementing safe mu- 
tual authentication without imposing any heavy load on 
the medium. 

[0046] Note that the mutual authentication process 
according to the gist of the present invention will be re- 
ferred to as AKE hereinafter. 

[0047] When the MC 13 is set in the medium l/F 6 of 
the LCM 1 or the PD 12, mutual authentication may be 
done first between the medium l/F 6 and MC 13 or be- 
tween the PD 12 and MC 13 (step SI in FIG. 9). If it is 
determined that both of them are authentic (e.g., they 
have hardware arrangements complying with the same 
standards) (step S2), the medium l/F 6 or PD 12 deter- 
mines the type of MC 13 on the basis of identification 
information MID read from the MC 1 3 (step S3). The me- 
dium l/F 6 or PD 12 executes a check-in/check-out/re- 
production process according to the determined type 
(step S6). 

[0048] Note that mutual authentication in step S1 in 
FIG. 9 need not always be that according to the gist of 
the present invention shown in FIG. 8B. 
[0049] In the above description, three different types 
of MCs 1 3, i.e., MCs 1 3 of level Oto level 2, are available, 
but the check-in/check-out/reproduction process oper- 
ations of the copied contents in FIG. 9 and the subse- 
quent figures will be explained for two types of MCs 13, 

1. e., MCs 13 of level 0 and level 2. 

[0050] Furthermore, in accessing each others secret 
areas between the LCM 1 and MC 13, the LCM 1 and 
PD 12, and the PD 12 and MC 13, assume that they 
authenticate each other, open gates to each other's se- 
cret areas if it Is confirmed that they are authentic, and 
close the gates that allow access to the secret areas 
(although not described in the following description) af- 
ter access to the secret areas is completed. For exam- 
ple, between the LCM 1 and MC 13, the SMS 2 makes 
mutual authentication with the MC 13 so as to access 
the secret area 13c of the MC 13. If their authenticity is 
confirmed and the switch 13e opens the gate to the se- 
cret area 13c, the SMS 2 writes key information in the 
secret area 1 3c, and the switch 1 3e closes the gate that 
allows access to the secret area 13c upon completion 
of the write. 

2. Check-in/check-out/reproduction process of copied 
contents using MC of level 2 

[0051] The check-in/check-out/reproduction process 
using the MC 1 3 of level 2 with the format shown in FIG. 
4C will be explained below. 

[0052] A case will be explained below with reference 
to FIG. 10 wherein a check-out instruction is issued to 
the SMS 2 via a user interface (l/F) 1 5 or via the PD 12 
(i.e., when the MC 13 is set In the PD 12 connected to 



the LCM 1). 

[0053] The SMS 2 checks the remaining number n of 
children of contents (e.g., having a contents ID = "TID1 ") 
. corresponding to a check-out request of the guest book, 

5 If n > 0, the SMS 2 reads out the device ID (LCMID) of 
the corresponding LCM 1 from the device ID memory 4, 
and transfers it to the MC 13 (step SI 01). 
[0054] The MC 13 checks if the transferred device ID 
is registered in the RVC list (step SI 02). If the trans- 

10 ferred device ID is not registered, the MC 13 reads out 
master key K|^ by accessing the secret area 1 3c, and 
transfers it to the LCM 1 (step S1 03). Furthermore, the 
MC 1 3 reads out its identification information (MID) from 
the identification information memory 13b and transfers 

15 it to the LCM 1 (step S104). 

[0055] The LCM 1 encrypts the medium ID (MID) 
transferred from the MC 1 3 using master key to gen- 
erate Information (K^^[MID]) required for a mutual au- 
thentication process (AKE) (step S105). 

20 [0056] The LCM 1 executes the mutual authentication 
process (AKE) using the generated Information Kj^j 
[MID], while the MC 1 3 executes the mutual authentica- 
tion process (AKE) using a secret medium ID (SMID) 
(step SI 06). In this mutual authentication process 

25 (AKE), the LCM 1 and MC 13 share identical functions 
g(x, y) and H(x, y), and if the information K|^[MID] gen- 
erated by the LCM 1 is the same as the secret medium 
ID (SMID) of the MC 13, they can confirm their authen- 
ticity by the mutual authentication process (AKE). 

30 [0057] The processing operation of the mutual au- 
thentication process (AKE) In step SI 06 will be ex- 
plained below with reference to FIG. 21 . 
[0058] The LCM 1 generates random number R1 
(step S301 ), and transfers it to the MC 13. At the same 

35 time, the LCM 1 substitutes random number R1 in one 
variable of function g(x, y) having two variables. Also, 
the LCM 1 substitutes the information Km[MID] generat- 
ed in step SI 05 in FIG. 1 0 in the other variable of func- 
tion g(x, y) to obtain the value of function g (step S302). 

40 [0059] On the other hand, the MC 1 3 substitutes ran- 
dom number R1 transferred from the LCM 1 in one var- 
iable of function g(x, y), substitutes its own secret me- 
dium ID (SMID) in the other variable, and transfers the 
obtained value of function g to the LCM 1 (step S303). 

45 [0060] The LCM 1 compares the value of function g 
transferred from the MC 1 3, and that computed by itself, 
and executes a subsequent process if they match. If the 
two values do not match, the AKE process on the LCM 
1 side is canceled at that time (step 8304). 

50 [0061 ] The MC 1 3 then generates random number R2 
(step S305), and transfers it to the LCM 1 . At the same 
time, the MC 13 substitutes random number R2 in one 
variable of function g(x, y) having two variables. Also, 
the MC 13 substitutes Its secret medium ID (SMID) in 

55 the other variable of function g(x, y) to obtain the value 
of function g (step S306). 

[0062] On the other hand, the LCM 1 substitutes ran- 
dom number R2 transferred from the MC 1 3 in one var- 
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iable of function g(x, y), and substitutes the information 
K|^[MID1 generated in step SI 05 in FIG. 10 in the other 
variable of function g(x, y) to obtain the value of function 
g. The LCM 1 then transfers the obtained value to the 
MC 13 (step S307). 

[0063] The MC 13 compares the value of function g 
transferred from the LCM 1 , and that computed by itself, 
and executes a subsequent process if they match- If the 
two values do not match, the AKE process on the MC 
13 side is canceled at that time (step S308). 
[0064] If the values of function g match in step S308, 
the MC 1 3 substitutes random number R2 in one varia- 
ble of function H(x, y) having two variables, and its se- 
cret medium ID (SMtO) in the other variable to generate 
key information KT (step S309). 
[0065] Also, if the values of function g match in step 
S304, the LCM 1 substitutes random number R2 trans- 
ferred from the MC 13 in one variable of function H(x, 
y), and substitutes the information K,yj[MID] generated 
in step S1 05 in FIG. 10 in the other variable to generate 
l<ey information KT (step S310). 

[0066] Note that two pieces of l<ey information KT, 
which are generated by the LCM 1 and MC 13 using the 
identical function H(x, y) if it is determined in steps S304 
and S308 that the values of function g match, are the 
same ones. The LCM 1 and MC 1 3 then exchange con- 
tents decryption key Kc using this key information KT. 
[0067] The mutual authentication process (AKE) pref- 
erably generates different key information KT in each 
authentication in terms of security. In this case, since 
random number R2 newly generated for each authenti- 
cation is substituted in one of two variables which are 
substituted in function H used to generate key informa- 
tion KT, different key information KT can be generated 
for each authentication. 

[0068] Ref emng back to FIG. 1 0, if the LCM 1 and MC 
13 confirm in step SI 06 that they are authentic, the MC 
1 3 stores the generated key information KT (in this case, 
KT1 ) in the secret area (step SI 07). The LCM 1 encrypts 
a decryption key (contents decryption key) Kc used to 
decrypt the encrypted contents (KT1 [Kc]) using the key 
information KT1 generated in step 8106, and transfers 
it to the MC 13 (steps S108 and S109). Also, the LCM 
1 encrypts contents C using Kc (Kc[C]), and transfers 
the encrypted contents to the MC 13 (steps 8110 and 
8111). 

[0069] Finally, the SMS 2 subtracts M" from the re- 
maining number n of children of the contents with the 
contents ID = "T1D1 " corresponding to the check-out re- 
quest of the guest book, and adds identification infor- 
mation "mO" of that MC 1 3 in check-out list LI , as shown 
In FIG. 7B. 

[0070] The MC 13 stores transferred encrypted con- 
tents decryption key KT1 [Kc] and encrypted contents Kc 
[C] in the public area 13a. 

[0071] FIG. 6 shows the storage contents of the MC 
13 at completion of the aforementioned processes. 
[0072] A case will be explained below with reference 



to FIG. 11 wherein a reproduction instruction is issued 
to the SMS 2 via the user interface (l/F) 15 of the LCM 
1 or to the PD 12. 

[0073] The PD 12 or LCM 1 transfers its own device 

5 ID totheMC13 (step 8121). 

[0074] If the LCM 1 has the same contents reproduc- 
ing function (demodulator 12g, decoder 12h, D/A con- 
verter 1 2i, and the like) as that the PD 1 2 shown in FIG. 
3, the contents of the MC 1 3 can be similarly reproduced 

10 by the PD 1 2 and LCM 1 . A reproduction process by the 
PD 1 2 will be exemplified below. 
[0075] The MC 1 3 checks If the transferred device ID 
is registered in the RVC list (step SI 22). If the device ID 
is not registered, the MC 13 reads out master key K^ 

15 by accessing the secret area 1 3c, and transfers it to the 
PD 12 (step 8123). Furthermore, the MC 13 reads out 
its identification information (MID) from the identification 
information memory 13b and transfers it to the PD 12 
(step SI 24). 

20 [0076] The PD 12 encrypts the medium ID (MID) 
transferred from the MC 1 3 using master key K^ to gen- 
erate information (K^^[MID]) required for a mutual au- 
thentication process (AKE) (step SI 25). 
[0077] The PD 1 2 executes the mutual authentication 

25 process (AKE) using the generated information Kj^ 
[MID], while the MC 13 executes the mutual authentica- 
tion process (AKE) using a secret medium ID (SMID) 
(step SI 26). Since the mutual authentication process in 
step SI 26 is the same as that shown in FIG. 21 , a de- 

30 scription thereof will be omitted. 

[0078] If the PD 12 and MC 13 confirm that they are 
authentic, the MC 13 encrypts key information KT1 
stored in the secret area 13c using the generated key 
information KT (in this case, KT2) (KT2[KT1 ]) and trans- 

35 fers it tothe PD 12 (steps S127 and 81 28). On the other 
hand, the PD 1 2 can decrypt KT2[KT1 ] transferred from 
the MC 1 3 using key information KT2 generated in step 
8126 (step SI 28). 

[0079] The MC 13 reads out encrypted contents de- 
40 cryption key KT1 [Kc] and encrypted contents Kc[Cl from 
the public area 13a and transfers them to the PD 12 
(steps 8129 and 8131). 

[0080] If key information KT1 has been successfully 
decrypted, the PD 12 can obtain contents decryption 

45 key Kc by decrypting contents decryption key KT1 [Kc] 
which was encrypted using KT1 (step 8130). Accord- 
ingly, it decrypts encrypted contents Kc[C] using that 
contents decryption key Kc to obtain contents C (step 
SI 32). In the PD 1 2, the decoder 1 2h decodes contents 

so c, and the D/A converter 1 21 converts the decoded con- 
tents from a digital signal into an analog signal, thereby 
reproducing the copied contents (e.g., music) recorded 
on the MC 13. 

[0081] A case will be explained below with reference 
55 to FIG. 1 2 wherein a check-in instruction is issued to the 
SMS 2 via the user interface (l/F) 1 5 of the LCM 1 or via 
the PD 1 2 (i.e., when the MC 1 3 is set in the PD 1 2 con- 
nected to the LCM 1). 
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[0082] The SMS 2 reads out the device ID (LCMID) 
of that LCM 1 from the device ID memory 4, and trans- 
fers it to the MC 13 (step SI 41). 
[0083] The MC 1 3 checks if the transferred device ID 
is registered in the RVC list (step SI 42). If the trans- 5 
ferred device ID Is not registered, the MC 13 reads out 
master key Kf^ by accessing the secret area 1 3c, and 
transfers it to the LCM 1 (step SI 43). Furthermore, the 
MC 1 3 reads out its identification information (MID) from 
the identification information memory 13b and transfers 
it to the LCM 1 (step S144). 

[0084] The LCM 1 encrypts the medium ID (MID) 
transferred from the MC 1 3 using master key K,^ to gen- 
erate Information (K^tMID]) required for a mutual au- 
thentication process (AKE) (step 8145), 
[0085] The LCM 1 executes the mutual authentication 
process (AKE) using the generated information K)^ 
[MID], while the MC 1 3 executes the mutual authentica- 
tion process (AKE) using a secret medium ID (SMID) 
(step 8146). 

[0086] The mutual authentication process (AKE) of 
step 8146 in check-in will be explained below with ref- 
erence to FIG. 22. Note that the same reference numer- 
als denote the same portions as those in FIG. 21 , and 
only different portions will be explained below. That is, 
in FIG. 22 if it is determined in step S308 that the values 
of function g match, the value of flag information Fake 
is set to be "true" (indicated by "T" in FIG. 22) in place 
of generating key information KT; if they do not match, 
the value of flag information Fake is set to be "false" (in- 
dicated by "F" in FIG. 22) (steps S321 and S322). If the 
values of function g match in step S304, the LCM 1 out- 
puts only that determination result in place of generating 
key information KT. 

[0087] Referring back to FIG. 12, if the LCM 1 con- 
firms authenticity of the MC 13 in step SI 46 (step S304 
In FIG. 22), it instructs the MC 13 to delete key Informa- 
tion KT1 stored in the secret area 13c of the MC 13. 
Upon receiving this instruction, the MC 13 checks the 
value of flag information Fake. If Fake = "T", the MC 13 
deletes key information KT1 from the secret area 13c, 
and rewrites flag information Fake to "F" (steps SI 47 
and SI 48). At this time, the encrypted contents stored 
in the public area 1 3a of the MC 1 3 may be erased by 
overwriting random numbers generated by the LCM 1 
on them. 

[0088] Finally, as shown in FIG. 7C, the SMS 2 adds 
"1 " to the remaining number n of the contents with the 
contents ID = "TID1 " corresponding to the check-in re- 
quest of the guest book, and deletes identification infor- 
mation mO of that MC 13 from check-out list LI . 
[0089] On the other hand, if the value of flag informa- 
tion Fake is "F", the subsequent process is canceled. 
[0090] The processing operation in check-out, which 
is different from that shown In FIG. 1 0, will be described 
below with reference to FIG. 1 3. Note that the same ref- 
erence numerals denote the same portions as those In 
FIG. 1 0, and only different portions will be explained be- 



low. That is, FIG. 1 3 is characterized by a process for 
contents decryption key Kc to be transferred to the MC 
13. 

[0091] Referring to FIG. 13, the LCM 1 encrypts con- 
tents decryption key Kc using K^4[MID] (to be expressed 
by w hereinafter) generated in step SI 05 (step SI 62). 
The LCM 1 further encrypts contents decryption key Kc 
encrypted by w (w[Kc]) using key Information KT1 gen- 
erated In the mutual authentication process (AKE) in 
step SI 06 (KT1 [w[Kc]]), and then transfers it to the MC 
13 (step SI 63). 

[0092] The MC 13 decrypts the transferred KT1[w 
[Kc]] using key information KT1 generated in the mutual 
authentication process (AKE) in step SI 06 to obtain w 
[KcJ, and stores it In the secret area 13c (step 8164). 
[0093] Contents C are encrypted using Kc (step 
SI 65), and are then transferred to the MC 13 (step 
SI 66) as In FIG. 10. 

[0094] The reproduction process corresponding to 
the check-out process shown in FIG. 13 will be ex- 
plained below with reference to FIG. 14. Note that the 
same reference numerals denote the same portions as 
those in FIG. 11, and only different portions will be ex- 
plained below. More specifically, in FIG. 14 the MC 13 
encrypts encrypted contents decryption key w[Kc] 
stored in the secret area 1 3c using key information KT2 
generated in the mutual authentication process (AKE) 
in step SI 26 (KT2[w[Kc]]), and then transfers it to the 
LCM 1 or PD 12 (step SI 72). The LCM 1 or PD 12 de- 
crypts KT2[w[Kc]] transferred from the MC 1 3 using key 
Information KT2 generated In step S126 (step SI 73), 
and decrypts the obtained w[Kc] using w = K|^[KID] gen- 
erated In step SI 23 to obtain contents decryption key 
Kc (step SI 74). The LCM 1 or PD 12 decrypts encrypted 
contents Kc[C] using this contents decryption key Kc to 
obtain contents C (step SI 75). In the LCM 1 or PD 12, 
the decoder 1 2h decodes contents C, and the D/A con- 
verter 121 converts the decoded contents from a digital 
signal into an analog signal, thereby reproducing the 
copied contents (e.g., music) recorded on the MC 13. 
[0095] The check-In process corresponding to the 
check-out process shown in FIG. 13 is substantially the 
same as that described with reference to FIG. 1 2, except 
that contents decryption key w[Kc] encrypted by w = K^/, 
[MID] is deleted from the secret area 13c of the MC 13 
in step'S148 in place of key information KT1 . 

3. Check-in/check-out/reproduction process of copied 
contents using MC of level 0 

[0096] Tlie check-in/check-out and reproduction 
processes using the MC 13 of level 0 with the fomiat 
shown In FIG. 4A will be explained below. 
[0097] In this case, the MC 1 3 is set in the PD 1 2, and 
executes a check-out process with the LCM 1 via the 
PD 12. The basic operation Is the same as that of the 
MC 13 of level 2. However, In case of level 0, since the 
MC 13 has neither a secret area nor a medium ID, the 
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PD 1 2 executes a process shown in FIG. 1 0 with respect 
to the LCM 1 in place of the MC 1 3 of level 0. For this 
purpose, the secret area of the PD 1 2 pre-stores master 
key K|^, secret device key SPDID, and a revocation list 
(RVC list). Note that master key K^y, need only have the s 
same function as that of master key K^^ stored in the MC 
13, but data itself need not be the same. 
[0098] In step S3 in FIG. 9, the type of MC 1 3 is de- 
termined to be level 0. 

[0099] A case will be explained below with reference 
to FIG. 15 wherein a check-out instruction is issued to 
the SMS 2 vi§t a user interface (l/F) 1 5 or via the PD 1 2. 
[0100] The SMS 2 checks the remaining number n of 
children of contents (e.g., having a contents ID = "TID1 ") 
corresponding to a check-out request of the guest book. 
If n > 0, the SMS 2 reads out the device ID (LCMID) of 
the corresponding LCM 1 from the device ID memory 4, 
and transfers it to the PD 1 2 (step S201 ). 
[0101] The PD 1 2 checks If the transferred device ID 
is registered in the RVC list (step 8202). If the trans- 
ferred device ID is not registered, the PD 12 reads out 
master key K^;, by accessing its secret area, and trans- 
fers it to the LCM 1 (step 3203). Furthermore, the PD 
1 2 reads out Its identification information, i.e., the device 
ID (PDID) from, e.g., the ROM 12c, and transfers it to 
the LCM 1 (step S204). 

[0102] The LCM 1 encrypts the device ID (PDID) 
transferred from the PD 12 using master key to gen- 
erate information (K{^[PDID]) required for a mutual au- 
thentication process (AKE) (step S205). 
[0103] The LCM 1 executes the mutual authentication 
process (AKE) using the generated information Kf^ 
[PDID), while the PD 12 executes the mutual authenti- 
cation process (AKE) using a secret device ID (SPDID) 
(step S206). Since the mutual authentication process in 
step S206 is the same as that shown in FIG. 21 , a de- 
scription thereof will be omitted. 
[0104] If the LCM 1 and MC 13 confirm that they are 
authentic, the PD 12 stores the generated key informa- 
tion KT (in this case, KT1 ) in the secret area (step 8207). 
The LCM 1 encrypts a decryption key (contents decryp- 
tion key) Kc used to decrypt the encrypted contents 
(KT1 [Kc]) using the key information KT1 generated in 
step S206, and transfers it to the MC 13 via the PD 12 
(steps S208 and S209). Also, the LCM 1 encrypts con- 
tents C using Kc (Kc[C]), and transfers the encrypted 
contents to the MC 13 via the PD 12 (steps S210 and 
S211). 

[0105] Finally, the SMS 2 subtracts T from the re- 
maining number n of children of the contents with the 
contents ID = "TID1 ' corresponding to the check-out re- 
quest of the guest book, and adds Identification infor- 
mation "mO" of that MC 1 3 in check-out list LI , as shown 
in FIG. 7B. 

[0106] The MC 13 stores transferred encrypted con- 
tents decryption key KT1 [Kc] and encrypted contents Kc 
[C] in the public area 13a. 

[0107] FIG. 6 shows the storage contents of the MC 



13 at completion of the aforementioned processes. 
[0108] The processing operation between the PD 12 
and MC 13 when the PD 12 receives a reproduction in- 
struction will be explained below with reference to FIG. 
16. 

[0109] The MC 13 transfers encrypted contents de- 
cryption key KT1[Kc] recorded on its public area to the 
PD 12 (step S221). If the PD 12 is the one which was 
used to check out the contents to be reproduced with 
respect to the MC 13, it must store key information KT1 
for decrypting the encrypted contents decryption key in 
its secret area (see step S207 in FIG. 15). Therefore, 
such authentic PD 12 can obtain contents decryption 
key Kc by decrypting KT1 [Kc] transferred from the MC 
13 using key information KT1 read out from its secret 
area (step S222). Furthermore, the PD can obtain con- 
tents C by decrypting encrypted contents Kc[C] trans- 
ferred from the MC 13 using that contents decryption 
key Kc (steps 3223 and 3224). In the PD 1 2, the decod- 
er 12h decodes contents C, and the D/A converter 12i 
converts the decoded contents from a digital signal into 
an analog signal, thereby reproducing the copied con- 
tents (e.g.f music) recorded on the MC 13. 
[011 0] A case will be explained below with reference 
to FIG. 17 wherein a check-in instruction is issued to the 
SMS 2 via the PD 12 (i.e., using the MC 13 set in the 
PD 1 2 connected to the LCM 1 ). In this case as well, the 
PD 1 2 executes a process shown in FIG. 1 2 with respect 
to the LCM 1 in place of the MC 13 of level 0 as in the 
check-out process. 

[0111] Tlie SMS 2 reads out the device ID (LCMID) 
of that LCM 1 from the device ID memory 4, and trans- 
fers it to the PD 12 (step S231). 
[0112] The PD 12 checks if the transferred device ID 
is registered in the RVC list (step 3232), If the trans- 
ferred device ID is not registered, the PD 12 reads out 
master key by accessing its secret area, and trans- 
fers it to the LCM 1 (step S233). Furthermore, the PD 
12 reads out its identification information (PDID) and 
transfers it to the LCM 1 (step 8234). 
[0113] The LCM 1 encrypts the device ID (PDID) 
transferred from the PD 1 2 using master key K^/, to gen- 
erate information (K^^[PDID]) required for a mutual au- 
thentication process (AKE) (step 3235). 
[01 1 4] The LCM 1 executes the mutual authentication 
process (AKE) using the generated information K^^, 
[PDID], while the PD 12 executes the mutual authenti- 
cation process (AKE) using a secret device ID (SPDID) 
(step 8236). 

[01 1 5] Since the mutual authentication process (AKE) 
of step 8236 in check-in Is substantially the same as 
that shown in FIG. 22 except that K,y/|[PDID] replaces K^ 
[MID], and the secret device ID (SPDID) replaces the 
secret medium ID (SMID), a description thereof will be 
omitted. 

[01 16] If the LCM 1 confirms authenticity of the PD 1 2 
in step S236 (step 3304 in FIG. 22), it instructs the PD 
12 to delete key information KT1 stored in Its secret ar- 
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ea. Upon receiving this instruction, the PD 12 checks 
the value of flag information Fake. If Fake = T", the PD 
12 deletes key infonnation KT1 fronn its secret area, and 
rewrites flag information Fake to "F" (steps S237 and 
S238). At this time, the encrypted contents stored in the 
public area 13a of the MC 13 may be erased by over- 
writing random numbers generated by the LCM 1 on 
them, 

[0117] Finally, as shown in FIG. 7C, the SMS 2 adds 
"1" to the remaining number n of the contents with the 
contents ID = 'TID1'* corresponding to the check-in re- 
quest of the guest book, and deletes identification infor- 
mation mO of that MC 1 3 from check-out list L1 . 
[01 1 8] On the other hand, if the value of flag infomna- 
tion Fake is "F", the subsequent process is canceled. 
[0119] The processing operation in check-out, which 
is different from that shown in FIG. 1 5, will be described 
below with reference to FIG. 1 8. Note that the same ref- 
erence numerals denote the same portions as those in 
FIG. 1 5, and only different portions wilt be explained be- 
low. That is, FIG. 18 is characterized by a process for 
contents decryption key Kc to be transferred to the PD 
12. as in FIG. 13. 

[0120] Referring to FIG. 18, the LCM 1 encrypts con- 
tents decryption key Kc using K|^[PDID] (to be ex- 
pressed by w hereinafter) generated in step S205 (step 
S252). The LCM 1 further encrypts contents decryption 
key Kc encrypted by w (w[Kc]) using key infonnation 
KT1 generated in the mutual authentication process 
(AKE) in step 8251 (KT1 [w[Kc]]), and then transfers it 
to the PD 12 (step 8253). 

[01 21 ] The PD 1 2 decrypts the transferred KT1 [w[Kc]] 
using key information KT1 generated in the mutual au- 
thentication process (AKE) in step S251 to obtain w[Kc], 
and stores it in the secret area (step S254). 
[0122] Contents C are encrypted using Kc (step 
S255), and are then transferred to the MC 1 3 via the PD 
12 (step S256), as in FIG. 15. 

[0123] The reproduction process corresponding to 
the check-out process shown in FIG. 18 will be ex- 
plained below with reference to FIG. 19. Note that the 
same reference numerals denote the same portions as 
those in FIG. 18, and only different portions will be ex- 
plained below. More specifically, in FIG. 19 the PD 12 
can obtain contents decryption key Kc by decrypting en- 
crypted contents decryption key w[Kc] stored in its se- 
cret area using its secret device ID (8PDID = w) (step 
8261). The PD 12 can obtain contents C by decrypting 
encrypted contents Kc[C] transfenred from the MC 13 
using that contents decryption key Kc (step S262). In 
the PD 12, decoder 12h decodes contents C, and the 
D/A converter 12i converts the decoded contents from 
a digital signal into an analog signal, thereby reproduc- 
ing the copied contents (e.g., music) recorded on the 
MC13. 

[0124] The check-in process corresponding to the 
check-out process shown in FIG. 18 will be described 
below with reference to FIG. 20. Note that the descrip- 



tion of FIG. 20 is substantially the same as that of FIG. 
1 7, except that contents decryption key w[Kcl encrypted 
by w = Km[PD1D] is deleted from the secret area of the 
PD 12 in step 8238 in place of key infomnation KT1 . 
5 [0125] As described in detail above, according to the 
present invention, safe mutual authentication with high 
security can be implemented using a low cost recording 
medium. 



Claims 

1 . A mutual authentication method for use between a 
recording apparatus which records copied contents 
on a recording medium having an arithmetic 
processing function, and the recording medium, 
said method comprising the steps of 

storing in the recording medium at least first 
infonnation (MID) which depends on the recording 
medium, and second infonnation (SMID) which Is 
to be shared by the recording apparatus in execut- 
ing mutual authentication with the recording appa- 
ratus and depends on the recording medium; and 

generating by the recording apparatus au- 
thentication information (K|^[MID]) used in mutual 
authentication with the recording medium on the ba- 
sis of the firs infonnation (MID) obtained from the 
recording medium, and executing mutual authenti- 
cation between the recording apparatus and the re- 
cording medium using the generated authentication 
infonnation (Kp(4[MID]) and the second infonnation 
(SMID), wherein 

the authentication infonnation (K|^[MID]) is 
generated using an encryption key (K|^) and the first 
information (MID) obtained from the recording me- 
dium, not using another identification information, 
and 

the execution of the mutual authentication in- 
cludes the steps of: 

generating a random number (R1) in the re- 
cording apparatus and transferring the random 
number (R1) to the recording medium, 
generating a first function (g) in the recording 
apparatus using the generated authentication 
infonnation (K|^[MID]) and the generated ran- 
dom number (R1), not using another identifica- 
tion infonnation, 

generating a second function (g) in the record- 
ing medium using the generated second infor- 
mation (SMID) and the transferred random 
number (R1), not using another identification 
infonnation, and transferring the second func- 
tion (g) to the recording apparatus, and 
comparing the generated first function (g) with 
the generated second function (g) in the record- 
ing apparatus. 
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2. A mutual authentication method for use between a 
reproducing apparatus which reproduces copied 
contents recorded on a recording medium having 
an arithmetic processing function, and the record- 
ing medium, said method comprising the steps of: s 

preparing the recording medium storing at least 
first information (MID) which depends on the re- 
cording medium, and second infomnation 
(SMID) which is to be shared by the reproduc- io 
ing apparatus in executing mutual authentica- 
tion with the reproducing apparatus and de- 
pends on the recording medium; and 
generating by the reproducing apparatus au- 
thentication infomnation (K|vi[MiD]) used in mu- is 
tual authentication with the recording medium 
on the basis of the first information (MID) ob- 
tained from the recording medium, and execut- 
ing mutual authentication between the repro- 
ducing apparatus and the recording medium 20 
using the generated authentication infonmation 
(K|^[MID]) and the second information (SMID), 
wherein 

the authentication infomnation (K|^[MID]) is 
generated using an encryption Icey (K^) and the 25 
first information (MID) obtained from the re- 
cording medium, not using another identifica- 
tion information, and 

the execution of the mutual authentication in- 
cludes the steps of: 30 

generating a random number (R1) in the 
reproducing apparatus and transferring the 
random number (R1) to the recording me- 
dium, 35 
generating a first function (g) in the repro- 
ducing apparatus using the generated au- 
thentication information (i<A/|[MID]) and the 
generated random number (R1), not using 
another identification infonmation, 40 
generating a second function (g) in the re- 
cording medium using the generated sec- 
ond information (SMID) and the transferred 
random number (R1), not using another 
identification information, and transferring 
the second function (g) to the reproducing 
apparatus, and 

comparing the generated first function (g) 
with the generated second function (g) in 
the reproducing apparatus. so 

3. A recording apparatus for recording copied con- 
tents on a recording medium while limiting the 
number of copied contents to be recorded on the 
recording medium, said apparatus comprising: ss 

generation means for generating authentica- 
tion infomnation (K^^[MID1), which is used in mu- 



tual authentication with the recording medium 
and is to be shared by the recording medium, 
on the basis of first infomnation (MID) which is 
obtained from the recording medium and de- 
pends on the recording medium; and 
mutual authentication means for executing mu- 
tual authentication with the recording medium 
using the authentication information (K{y/|[MID]) 
generated by said generation means, wherein 
the authentication infomnation (Kj^[MID]) is 
generated using an encryption key (K^^) and the 
first information (MID) obtained from the re- 
cording medium, not using another identifica- 
tion infomnation. and 

the mutual authentication means includes 
means for generating a random number (Rl) 
and transferring the random number (R1 ) to the 
recording medium, 

means for generating a first function (g) using 
the generated authentication infomnation (KM 
[MID]) and the generated random number (Rl ), 
not using another identification information, 
means for receiving from the recording medium 
a second function (g) generated using second 
information (SMID) and thetransfen^ed random 
number (R1), not using another identification 
information, and 

means for comparing the generated first func- 
tion (g) with the received second function (g). 

4. A reproducing apparatus for reproducing copied 
contents recorded on a recording medium while lim- 
iting the number of copied contents to be recorded 
on the recording medium, said apparatus compris- 
ing: 

generation means for generating authentica- 
tion information (K|^[MID]), which is used in mu- 
tual authentication with the recording medium 
und is to be shared by the recording medium, 
on the basis of first information (MID) whish is 
obtained from the recording medium and de- 
pends on the recording medium; and 
mutual authentication means for executing mu- 
tual authentication with the recording medium 
using the authentication infomnation (K,^[MID]) 
generated by said generation means, wherein 
the authentication information (K,y,[MID]) is 
generated using an encryption key (Kf^) and the 
first infomnation (MID) obtained from the re- 
cording medium, not using another identifica- 
tion information, and 

the mutual authentication means includes 
means for generating a random number (Rl) 
and transferring the random number (R1 ) to the 
recording medium, 

means for generating a first function (g) using 
the generated authentication information (K^ 



12 



21 



EP 1 441 340 A2 



[MID]) and the generated random number (R1 ), 
not using another identification Information, 
means for receiving from the recording medium 
a second function (g) generated using second 
infomnation (SM ID) and the transferred random s 
number (R1), not using another Identification 
information, and 

means for comparing the generated first func- 
tion (g) with the received second function (g). 

10 

A recording medium having an arithmetic process- 
ing function, comprising: 



storage means for pre-storing first information 
(MID) which Is unique to said recording medi- is 
urn, and second infomiation (SMID) which Is to 
be shared by a recording apparatus for record- 
ing copied contents on said recording medium 
and a reproducing apparatus for reproducing 
the copied contents in executing mutual au- 20 
thentication among the recording medium, the 
recording apparatus, and the reproducing ap- 
paratus, and depends on said recording medi- 
um; and 

mutual authentication means for executing mu- 25 
tual authentication between the recording me- 
dium and the recording apparatus, and be- 
tween the recording medium and the reproduc- 
ing apparatus using authentication infomiation 
(K|^[MID]) generated based on the first Infomna- 30 
tlon (MID) by the recording apparatus and the 
reproducing apparatus, and the second infor- 
mation (SMID), wherein 
the authentication infomiation (K,^[MID]) is 
generated using an encryption Icey (K|^) and the 35 
first Infomnation (MID) obtained from the re- 
cording medium, not using another identifica- 
tion Information, and 

means for generating random number (R2) and 
transferring the random number (R2) to one of 40 
the recording apparatus and the reproducing 
apparatus, 

means for generating a first function (g) using 
the second information (SMID) and the gener- 
ated random number (R2), not using another ^ 
identification information, 
means for receiving from the one of the record- 
ing apparatus and the reproducing apparatus a 
second function (g) generated using the au- 
thentication Information (Kf^[MID]) and the so 
transfen^ed random number (R2), not using an- 
other identification information, and 
means for comparing the generated first func- 
tion (g) with the received second function (g). 
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